Updated zabbix packages fix two security vulnerabilities
Updated zabbix packages fix security vulnerabilities: This update fixes multiple vulnerabilities. - Fix remote command execution injection vulnerability ZBX-7479, CVE-2013-6824 - Fix SQL injection vulnerability ZBX-7091, CVE-2013-5743 - Fix XSS issues ZBX-6952...
Updated elinks package fixes a security vulnerability
Updated elinks package fixes security vulnerability: When verifying SSL certificates, elinks fails to warn the user if the hostname of the certificate does not match the hostname of the website. The elinks package has been updated to version 0.12-pre6 and patched to fix this issue...
Updated bind package fixes security vulnerability
Updated bind packages fix security vulnerability: Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect an attacker deliberately constructing a query with t...
Updated openssl package fixes security vulnerabilities
Updated openssl packages fix security vulnerabilities: The DTLS retransmission implementation in OpenSSL through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by...
Updated dcraw and ufraw packages fix security vulnerability
Due to flaws in the embedded copy of LibRaw in dcraw and ufraw, corrupt input files might trigger a division by zero, an infinite loop, or a null pointer dereference CVE-2013-1438. The dcraw and ufraw packages have been updated to their newest versions and patched to fix the flaws in the embedded...
Updated nagios package fixes security vulnerability
A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service. This vulnerability is caused by an off-by-one error within the process_cgivars function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios we...
Updated qt4 package fixes security vulnerability
It was discovered that QXmlSimpleReader in Qt incorrectly handled XML entity expansion. An attacker could use this flaw to cause Qt applications to consume large amounts of resources, resulting in a denial of service CVE-2013-4549...
Updated openssl package fixes security vulnerability
A flaw was reported for OpenSSL 1.0.1e that can cause applications using OpenSSL to crash when using TLS version 1.2 CVE-2013-6449. Also, a NULL pointer dereference issue has been fixed in SSL_get_certificate (mga#11549)...
Updated nodejs package fixes security vulnerabilities
A denial of service flaw was found in the way Node.js handled pipelined HTTP requests. A remote attacker could use this flaw to send an excessive amount of HTTP requests over a network connection, causing Node.js to use an excessive amount of memory and possibly exit when all available memory is...
Updated firefox and thunderbird packages fix security vulnerabilities
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to terminate unexpectedly or, potentially, execute arbitrary code with the privileges of the user running Firefox or Thunderbird CVE-2013-5609,...
Updated openjpeg package fixes security vulnerabilities
Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application...
Updated librsvg and gtk+3.0 packages fix security vulnerability
librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference CVE-2013-1881. gtk+3.0 has been patched to cope with the changes in SVG loading due to the fix in librsvg...
Updated ruby package fixes security vulnerability
Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. An attacker could possibly use this issue with an application that converts text to floating point numbers to cause the application to crash, resulting in a denial of service, or possibly execute arbitra...
Updated xml-security package fixes security vulnerability
James Forshaw discovered that Apache XML Security for Java incorrectly validated CanonicalizationMethod parameters. An attacker could use this flaw to spoof XML signatures CVE-2013-2172...
Updated cxf, wss4j, and jacorb packages fix security vulnerability
Multiple denial of service flaws were found in the way the StAX parser implementation of Apache CXF, an open-source web services framework, performed processing of certain XML files. If a web service application utilized the services of the StAX parser, a remote attacker could provide a...
Updated libkdcraw packages fix CVE-2013-1438 & CVE-2013-1439
Updated libkdcraw packages fix libraw security vulnerabilities: It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to crash, resulting in a denia...
Updated asterisk packages fix CVE-2013-7100
Updated asterisk packages fix security vulnerability: Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before 1.8.24.1, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before 10.12.4-digiumphones; and Certified...
Updated chromium-browser-stable fixes multiple vulnerabilities
Updated chromium-browser-stable packages fix security vulnerabilities: Pinkie Pie discovered multiple memory corruption issues CVE-2013-6632. Andrey Labunets discovered that the wrong URL was used during validation in the one-click sign on helper CVE-2013-6634. cloudfuzzer discovered use-after-fr...
Updated gnupg package fixes CVE-2013-4576
Updated gnupg package fixes security vulnerability: Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts CVE-2013-4576...
Updated apache-mod_nss package fixes CVE-2013-4566
Updated apache-mod_nss package fixes security vulnerability: A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss...
Updated wireshark packages fix two security vulnerabilities
Updated wireshark packages fix security vulnerabilities: The SIP dissector could go into an infinite loop CVE-2013-7112. The NTLMSSP v2 dissector could crash CVE-2013-7114...
Updated php packages fix multiple security vulnerabilities
Updated php packages fix security vulnerabilities: Stefan Esser discovered that PHP incorrectly parsed certificates. An attacker could use a malformed certificate to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code CVE-2013-6420. It was discovered that PHP...
Updated munin packages fix two security vulnerabilities
Updated munin packages fix security vulnerabilities: The Munin::Master::Node module of munin does not properly validate certain data a node sends. A malicious node might exploit this to drive the munin-html process into an infinite loop with memory exhaustion on the munin master CVE-2013-6048. A...
Updated fcron package fixes security vulnerability and init script
fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via a symlink attack on an unspecified file CVE-2010-0792. An error in the init script has also been corrected...
Updated python3 and related packages fix security vulnerabilities and prevent an error
Changed behavior of ssl.match_hostname to follow RFC 6125. Also, python-virtualenv has had its incdir settings altered to avoid the "include nested too deeply" error (mga#11283)...
Updated kernel-vserver packages fix security vulnerabilities
This kernel-vserver update provides an update to the 3.10 longterm branch, currently 3.10.24, and fixes the following security issues: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.10 does not properly handle problems with the generation of IPv6 temporary...
Updated kernel-rt packages fix security vulnerabilities
This kernel-rt update provides an update to the 3.10 longterm branch, currently 3.10.24, and fixes the following security issues: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.10 does not properly handle problems with the generation of IPv6 temporary addresse...
Updated kernel-tmb packages fix security vulnerabilities
This kernel-tmb update provides an update to the 3.10 longterm branch, currently 3.10.24, and fixes the following security issues: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.10 does not properly handle problems with the generation of IPv6 temporary...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update provides an update to the 3.10 longterm branch, currently 3.10.24, and fixes the following security issues: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.10 does not properly handle problems with the generation of IPv6 temporary...
Updated kernel and related packages fix security vulnerabilities
This kernel update provides an update to the 3.10 longterm branch, currently 3.10.24, and fixes the following security issues: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.10 does not properly handle problems with the generation of IPv6 temporary addresses,...
Updated flash-player-plugin package fixes vulnerabilities
Adobe Flash Player 11.2.202.332 contains fixes to critical security vulnerabilities found in earlier versions. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update resolves a type confusion vulnerability that could lead to...
Updated samba package fixes multiple vulnerabilities
Updated samba packages fix security vulnerabilities: Samba before 3.6.22 incorrectly allows login from authenticated users if the require_membership_of parameter of pam_winbind specifies only invalid group names CVE-2012-6150. It was discovered that multiple buffer overflows in the processing of...
Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist CVE-2013-4567, CVE-2013-4568. Internal review while debugging a site issue discovered that...
Updated owncloud package fixes CVE-2013-6403
Updated owncloud package fixes security vulnerability: Possible security bypass on admin page under certain circumstances and MariaDB CVE-2013-6403. The owncloud package has been updated to version 5.0.13, fixing this and many other issues...
Updated pixman package fixes security vulnerability
Bryan Quigley discovered an integer underflow in pixman. If a user were tricked into opening a specially crafted file, an attacker could cause a denial of service via application crash CVE-2013-6425...
Updated gimp package fixes security vulnerabilities
An integer overflow flaw and a heap-based buffer overflow were found in the way GIMP loaded certain X Window System XWD image dump files. A remote attacker could provide a specially crafted XWD image file that, when processed, would cause the XWD plug-in to crash or, potentially, execute arbitrar...
Updated links package fixes security vulnerability
Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode CVE-2013-6050...
Updated openttd package fixes security vulnerability
A missing validation in OpenTTD before 1.3.3 allows remote attackers to cause a denial of service crash by forcefully crashing aircraft near the corner of the map. This triggers a corner case where data outside of the allocated map array is accessed CVE-2013-6411...
Updated quassel package fixes security vulnerability
Security vulnerability in Quassel before 0.9.2 through which a manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases CVE-2013-6404...
Updated ganglia-web package fixes security vulnerability
XSS issue in ganglia-web makes it possible to execute JavaScript in victims' browser after tricking the victim into opening a specially crafted URL CVE-2013-6395...
Updated subversion package fixes security vulnerabilities
mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf-based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured b...
Updated drupal package fixes security vulnerabilities
Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations CVE-2013-6385. Drupal core directly used the mt_rand pseudorandom number...
Updated busybox package fixes security vulnerability
It was found that the mdev BusyBox utility could create certain directories within /dev with world-writable permissions. A local unprivileged user could use this flaw to manipulate portions of the /dev directory tree CVE-2013-1813...
Updated 389-ds-base package fixes CVE-2013-4485
Updated 389-ds-base packages fix security vulnerability: It was discovered that the 389 Directory Server did not properly handle certain Get Effective Rights GER search queries when the attribute list, which is a part of the query, included several names using the '@' character. An attacker able ...
Updated moodle package fixes security vulnerabilities
Some files were being delivered with incorrect headers in Moodle before 2.4.7, meaning they could be cached downstream CVE-2013-4522. Cross-site scripting in Moodle before 2.4.7 due to JavaScript in messages being executed on some pages CVE-2013-4523. The file system repository in Moodle before...
Updated graphicsmagick packages fix CVE-2013-4589
Updated graphicsmagick packages fix security vulnerability: GraphicsMagick before 1.3.18 is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service DoS. The vulnerability is caused due to an error within the "ExportAlphaQuantumType" function found in...
Updated gnutls package fixes security vulnerability
A DNS server that returns more than 4 DANE entries could corrupt the memory of a requesting client using the DANE library from GnuTLS before 3.1.15 and 3.2.5 CVE-2013-4466. This updates GnuTLS to version 3.1.16, fixing this issue and several other bugs...
Updated polarssl, pdns & ragel packages fix CVE-2013-5915
Updated polarssl packages fix security vulnerability: The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that PolarSSL used, which they then show can be used to mount ...
Updated perl-HTTP-Body packages fix CVE-2013-4407
Updated perl-HTTP-Body package fixes security vulnerability: Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to...
Updated bip packages fix CVE-2013-4550
Updated bip package fixes security vulnerability: bip 0.8.8 and earlier contains an issue where failed SSL handshakes result in a resource leak. A remote attacker can use this flaw to cause bip to run out of resources, resulting in a denial of service CVE-2013-4550...